It’s no secret that the Internet of Things is full of insecure gadgets. All you need is one high profile incident to be flooded with terrifying headlines about how everything from robotic vacuum cleaners to smart sex toys can be hacked to spy on you. However, apparently some devices like Smarter’s IoT coffee machine can also be reprogrammed to go haywire and demand ransom from unsuspecting users.
This week, Martin Hron, a researcher with the security firm Avast, reverse engineered a $250 Smarter coffee maker as part of a thought experiment to potentially uncover an important flaw in the infrastructure of smart devices.
“I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router,” he wrote in a blog post detailing his methods.
His experiment was a success: After a week of tinkering, he effectively turned the coffee maker into a ransomware machine. When the user tries to connect it to their home network, it triggers the machine to turn on the burner, spew hot water, endlessly spin the bean grinder, and display a pre-programmed ransom message while beeping incessantly. The only way to get it to stop? Unplugging your now seemingly possessed coffee maker entirely.
“It was done to point out that this did happen and could happen to other IoT devices,” Hron said in an Ars Technica interview. “This is a good example of an out-of-the-box problem. You don’t have to configure anything. Usually, the vendors don’t think about this.”
You can watch a clip of the hack in action below, courtesy of Ars Technica’s Dan Goodin. I’m pretty sure this is exactly what it would look like if The Brave Little Toaster and Black Mirror had an unholy crossover.
Hron discovered that the coffee maker acts as a wifi access point and uses an unencrypted connection to link to its corresponding smartphone app, which is how the user interacts with their machine and hooks it up to their home wifi network. The app also pushes out firmware updates, which the machine received with “no encryption, no authentication, and no code signing,” pers Ars Technica, providing an easy exploit.
Upon learning this, he uploaded the Android app’s latest firmware version to a computer and reverse engineered it using IDA, an interactive disassembler and staple in any reverse engineer’s toolkit. The process also required disassembling the coffee maker to learn what CPU it used. Armed with this information, he wrote a python script that mimicked the coffee maker’s update process to implement the modified firmware and lines of script that actually trigger it to go haywire. Programming the machine to demand ransom wasn’t Hron’s first idea, though, as he wrote in the blog:
“Originally, we wanted to prove the fact that this device could mine cryptocurrency. Considering the CPU and architecture, it is certainly doable, but at a speed of 8MHz, it doesn’t make any sense as the produced value of such a miner would be negligible.”
There are some pretty clear limitations to this hack, however. For one, the attacker would need to either find a coffee maker within wifi range. One could trigger the attack remotely by hacking someone’s router, in which case the network owner has much bigger problems to address than a ransom-demanding coffee maker.
But Hron says the implications of this kind of hack are much more concerning. Through this exploit, attackers could render a smart gadget incapable of receiving future patches to fix this weakness. He also argues that attackers could program the coffee maker or other Smarter appliances with this vulnerability to attack any device on the same network without ever raising any alarm bells. Given the years-long and even decades-long lifespan of traditional appliances, this also begs the question of how long modern IoT device vendors plan on maintaining software support, Hron points out.
“...[W]ith the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS.”
And that does not sound good, to put things lightly.
If you’re interested in more details about the experiment, Hron has written more than 4,000 words detailing his methodology in a blog post, which you can check out here.
Update: 10/1/2020; 6:32 p.m.: To reassure customers who may be worried about the security of their own Smarter coffee maker, Smarter highlighted the fact that Hron was working with a first-generation model for this experiment (which has since been discontinued) and provided the following statement to Gizmodo:
“Smarter is committed to ensuring its smart kitchen range has the highest levels of security safeguards at its core, and all connected products sold since 2017 are certified to the UL 2900-2-2 Standard for Software Cybersecurity for Network-Connectable Devices.
A very limited number of first-generation units had been sold in 2016 and although updates are no longer supported for these models, we do review any legacy claims on a per customer basis in order to provide continued customer care.”